Control Logic Forensics Framework using Built-in Decompiler of Engineering Software in Industrial Control Systems


ABSTRACT

In industrial control systems (ICS), attackers inject malicious control logic into programmable logic controllers (PLCs) to sabotage physical processes, such as nuclear plants, traffic-light signals, elevators, and conveyor belts. For instance, Stuxnet operates by transferring control logic to Siemens S7-300 PLCs over the network to manipulate the motor speed of centrifuges. These devastating attacks are referred to as control-logic injection attacks. Their network traffic, if captured, contains the malicious control logic, which can be leveraged as a forensic artifact. In this paper, we present Reditus to recover control logic from suspicious ICS network traffic. Reditus is based on the observation that engineering software has a built-in decompiler that can transform control logic into its source code. Reditus integrates the decompiler with a (previously captured) set of network traffic from a control-logic transfer to recover the source code of the binary control logic automatically. We evaluate Reditus on the network traffic of 40 control-logic programs transferred from the SoMachine Basic engineering software to a Modicon M221 PLC. Our evaluation successfully demonstrates that Reditus can recover the source code of a control logic from its network traffic.

BIO

Syed Ali Qasim is a fifth-year PhD student at Virginia Commonwealth University, where he works on problems in the area of cybersecurity and digital forensics at the SAFE lab under the guidance of Dr. Irfan Ahmed. Recently, his research has been particularly focused on industrial control systems and critical infrastructure security, where he works on discovering vulnerabilities in ICS devices, developing digital forensics tools for investigating network-based attacks on ICS, and creating frameworks for collecting ICS threat intelligence.

License: CC-2.5
Submitted by Irfan Ahmed on